Add more notes on security

[TheAssassin]

The README proposes a very unsafe setup. This PR at least documents the problems

CC #62.

[TheAssassin]

Huh? Seems GitHub updated their ToS and removed that restriction? https://help.github.com/en/github/getting-started-with-github/types-of-github-accounts

Does anyone have some evidence on this? Running multiple bot accounts just adds some setup complexity but greatly increases security, so I would very much appreciate if that rule went away!

[TheAssassin]

Hm, no, still there: https://help.github.com/en/github/site-policy/github-terms-of-service

• You must be a human to create an Account. Accounts registered by "bots" or other automated methods are not permitted. We do permit machine accounts:
• A machine account is an Account set up by an individual human who accepts the Terms on behalf of the Account, provides a valid email address, and is responsible for its actions. A machine account is used exclusively for performing automated tasks. Multiple users may direct the actions of a machine account, but the owner of the Account is ultimately responsible for the machine's actions. You may maintain no more than one free machine account in addition to your free User Account.
• One person or legal entity may maintain no more than one free Account (if you choose to control a machine account as well, that's fine, but it can only be used for running a machine).

[TheAssassin]

We're not the only ones affected by this issue. That bit is quoted regularly, e.g., in rust-lang/crates.io#849 (comment).

Maybe someone should try to make GitHub change this rule? https://github.com/github/site-policy/blob/master/CONTRIBUTING.md